LinkedIn hack: A new chance to fix bad passwords

By Kevin McCaney

Jun 07, 2012

The professional social networking site LinkedIn has invalidated about 6.5 million passwords that were recently stolen and posted on a Russian hacking site.

Since news of the breach began circulating June 6, security pros had been urging LinkedIn members to change their passwords, even if just as a precaution, and a website designer cooked up an easy way to check whether your password was among those that had been cracked.

Now, those whose passwords were stolen will have no choice, since they’ll find out when they try to log on that their old passwords are invalid. For most everyone else, however, changing passwords is still a good idea, experts say, especially if they have the kind of easily cracked passwords that this breach, like so many others before it, has exposed.

LinkedIn is e-mailing affected members with instructions on how to go about resetting their passwords, and has upgraded security on its password database, according to a company blog. And if victims used those passwords on other sites, they should change them, also.

The site, which caters to business circles, has about 160 million members worldwide, including quite a few government employees. In survey results released in April, for example, 35 percent of federal executives said they use LinkedIn.

The passwords were protected by unsalted SHA-1 encryption (salting is the process of adding random bits to the cryptographic key to make it harder to crack). The hacker who stole the hashed passwords posted them to get help in cracking them, and several hundred thousand reportedly had been broken.

Among them were the type of lame passwords revealed in other hacks, such as “123456,” “password,” “linkedinpassword,” “ihatemyjob,” and several profanities. But some slightly stronger passwords also were cracked.

Website designer Chris Shiflet checked and found that his password, made up of a chain of several words, was among those cracked. “It was my weak password, but it wasn't that weak,” he wrote in a blog post.

Checking to see if his was among the cracked passwords was pretty involved process, so he and a few friends came up with a simple application where users could check, which they dubbed LeakedIn.

LinkedIn’s move to invalidate the exposed passwords makes that step unnecessary, but changing passwords, especially if they’re weak and/or used on multiple sites, is still important.

Shiflet said the exposed passwords would likely be added to rainbow tables, which are used for reversing cryptographic hashes, and would be added (if they’re not there already) to dictionaries hackers use to crack passwords.

Passwords that make it into such lists should never be used, because they’re just that much easier to crack. And no password should be used on multiple sites, Sophos’ Graham Cluley pointed out in his blog.

Security pros, of course, have long recommended that people follow strong password policies, and people have long ignored that advice. A just-released survey by CreditDonkey, reported in ThreatPost, found that one-third of respondents said they had shared a password with a friend and used the same password on multiple sites. And studies of stolen passwords have consistently shown that many people use the simplest string of letters allowed.

For LinkedIn users, now might be a good time to get on board with better practices. And your better passwords also will be better protected, because LinkedIn’s blog said the company now has added salt to all the passwords in its database.